Paper 2023/1239

CSI-Otter: Isogeny-based (Partially) Blind Signatures from the Class Group Action with a Twist

Shuichi Katsumata, National Institute of Advanced Industrial Science and Technology, PQShield Ltd.
Yi-Fu Lai, University of Auckland
Jason T. LeGrow, Virginia Polytechnic Institute and State University
Ling Qin, University of Auckland
Abstract

In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the "linear identification protocol" abstraction introduced by Hauck, Kiltz, and Loss (EUROCYRPT'19), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably-secure in the poly-logarithmic (in the number of security parameter) concurrent execution and does not seem susceptible to the recent efficient ROS attack exploiting the linear nature of the underlying mathematical tool. In more detail, our blind signature exploits the "quadratic twist" of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size $128$~B and signature size $8$~KB under the CSIDH-512 parameter sets---these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new "ring" variant of the group action inverse problem rGAIP, we can halve the signature size to 4~KB while increasing the public key size to 512~B. We provide preliminary cryptanalysis of rGAIP and show that for certain parameter settings, it is essentially as secure as the standard GAIP. Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key---constructing such a hash function in the isogeny setting remains an open problem.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2023
DOI
https://doi.org/10.1007/978-3-031-38548-3_24
Keywords
Blind signatureIsogeny cryptographyPost-quantum cryptographyGroup action
Contact author(s)
shuichi katsumata @ pqshield com
27182818284fu lai @ gmail com
jlegrow @ vt edu
lqin276 @ aucklanduni ac nz
History
2023-08-21: approved
2023-08-16: received
See all versions
Short URL
https://ia.cr/2023/1239
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1239,
      author = {Shuichi Katsumata and Yi-Fu Lai and Jason T. LeGrow and Ling Qin},
      title = {{CSI}-Otter: Isogeny-based (Partially) Blind Signatures from the Class Group Action with a Twist},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1239},
      year = {2023},
      doi = {https://doi.org/10.1007/978-3-031-38548-3_24},
      url = {https://eprint.iacr.org/2023/1239}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.